Remember cookie set on page loads when REMEMBER_COOKIE_REFRESH_EACH_REQUEST is set to True, regardless of whether a remember cookie was set when the user logged in
#824
Open
ljsebald opened this issue
Nov 14, 2023
· 0 comments
Describe the bug
A remember cookie is set for users on every page load if the REMEMBER_COOKIE_REFRESH_EACH_REQUEST configuration option is set to True, even if a remember cookie was not set when the user is logged in initially by calling the login_user function.
To Reproduce
Steps to reproduce the behavior:
Set app.config['REMEMBER_COOKIE_REFRESH_EACH_REQUEST'] = True.
Call login_user(..., remember=False)
Observe that the remember cookie is set.
Expected behavior
A remember cookie should not be set if the user is logged in with remember=False. Or the documentation for that configuration option should emphasize that setting the option to True will cause a remember cookie to always be set.
Additional context
I believe that the problem is caused by the fact that login_manager._update_remember_cookie will set the session["_remember"] to "set" if that variable is not set in the user's session and the configuration option mentioned above is also set. When calling login_user with remember=False, that variable is not set in the user's session at all.
Issue maxcountryman#824. Before, if a user was logged in with the login_user function when the remember parameter was set to false, their cookies would still be refreshed if the "REMEMBER_COOKIE_REFRESH_EACH_REQUEST" configuration option was set to true. This happens because if the login_user function has the remember parameter be false, it doesn't assign session["_remember"] any value. When session["_remember"] doesn't have any value and the "REMEMBER_COOKIE_REFRESH_EACH_REQUEST" configuration option is set to true, the _update_remember_cookie function sets the session["_remember"] value to "set". This fix makes it so if the login_user function is given false for the remember parameter, instead of leaving session["_remember"] empty, it sets the value to "unset".
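A simplified, stand-alone model of the behaviour described in this issue, added here as an example (it is not Flask-Login's source code or the project's fix). The function names, the per-response pop of `_remember`, and the guarded variant that refreshes only when the request already carries a `remember_token` cookie are assumptions made for illustration.

```python
# Simplified model of the reported behaviour; all helper names are hypothetical.

def login(session, user_id, remember):
    """Model of login_user: only remember=True records the "set" operation."""
    session["_user_id"] = user_id
    if remember:
        session["_remember"] = "set"

def after_request_reported(session, config, request_cookies):
    """As reported: a missing "_remember" becomes "set" when refresh is enabled."""
    if "_remember" not in session and config.get("REMEMBER_COOKIE_REFRESH_EACH_REQUEST"):
        session["_remember"] = "set"
    op = session.pop("_remember", None)
    # True means the response would carry a remember cookie.
    return op == "set" and "_user_id" in session

def after_request_guarded(session, config, request_cookies):
    """Assumed alternative: refresh only a cookie the browser already holds."""
    if ("_remember" not in session
            and config.get("REMEMBER_COOKIE_REFRESH_EACH_REQUEST")
            and "remember_token" in request_cookies):
        session["_remember"] = "set"
    op = session.pop("_remember", None)
    return op == "set" and "_user_id" in session

def simulate(handler, remember, refresh, requests=3):
    """Log in once, then model page loads; return one flag per response."""
    session, cookies = {}, {}
    config = {"REMEMBER_COOKIE_REFRESH_EACH_REQUEST": refresh}
    login(session, "alice", remember)  # constructed sample user
    flags = []
    for _ in range(requests):
        issued = handler(session, config, cookies)
        if issued:
            cookies["remember_token"] = "constructed-token"  # browser stores it
        flags.append(issued)
    return flags

if __name__ == "__main__":
    # remember=False with refresh enabled: the reported logic issues a cookie anyway.
    print("reported:", simulate(after_request_reported, remember=False, refresh=True))
    print("guarded: ", simulate(after_request_guarded, remember=False, refresh=True))
```

The same multi-request shape works as a regression test against a real application: log in with `remember=False`, load several pages, and assert that no response sets the remember cookie.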